A modern cybersecurity strategy: Building a budget

By Sheldon Shaw, SAS

For much of the last 15 years, cyberattackers have pursued secrets and money. Certain industries became favorite targets and experienced a disproportionate number of attacks, while others remained relatively unscathed.

That’s changing. And so must security postures. For many, it’s time to enact a modern cybersecurity strategy.

But where to start? It starts at the top. IT security should have senior executive support and be a centrally managed function. Next, the budget. At a minimum, 10 percent of the IT budget should be earmarked for the following cybersecurity fundamentals.

Once you have these security fundamentals solidly in place, you need to measure and build on them with additional products, programs and activities.

Employee education: 1 percent

In the modern organization, the training to support your cybersecurity strategy should be separated from the general training budget. Otherwise, this type of employee education can get lost to other training priorities. All of the organization’s staff should undergo a mandatory training to drive home simple messages such as:

Nigeria has very few princes, and they don’t need you to send them money.

All kidding aside, to make the most of your security awareness investment, spend time developing the curriculum. Outsourcing companies can help deliver the message, but you and your staff need to own the message. The message should be clear and concise – and include context relevant to your business.

Security policy: 2.5 percent

A formal IT security policy is a must and should be tightly coupled with employee education. The policy need not be overly rigid, but it should provide guidance on acceptable use of the Internet and resources attached to it. Shutting off access to social media, web browsing, etc., will not make you a safer company. Employees will find a way around.

Policy language should establish a clear relationship between acceptable use and consequences. They should not viewed as a way to terminate employees, but rather as an extension of your organization’s human resource policy framework. Encourage security policy writers to be creative and engage your audit committee in the process. It is essential that the audit committee understands the behavior your policies attempt to encourage – and how best to measure their effectiveness. Security violations are not an acceptable measure of policy efficacy.

Perimeter solutions: 3 percent

Here, I’ve grouped next-generation data loss prevention, firewall and intrusion prevention technologies together. Combined, these technologies have modernized the security domain over the last few years. While lumping them together may cause heartache among security purists, the core philosophy behind these systems is similar. Their primary goal is to stop suspicious activity based on policy, port or protocol. Much has been written about the “death of the perimeter”; however, these solutions, when properly tuned and maintained, can serve as an important first line of defense.

Security skunk works: 1.5 percent

Each year, try new solutions and test products of interest to potentially augment your cybersecurity strategy. Remember though, piloting success can only come if you engage in the process. Carve out an area of your network where you can introduce new solutions. Employ strong senior managers who understand how to evaluate a product and determine its impact on your security strategy.

A respected co-worker once told me he measured success by “how many smoking holes are on the ground.” He wanted his staff to constantly test the bounds of security. The only way he could tell is if sometimes things weren’t working.

Network awareness: 2 percent

Network awareness should be a critical component of your cybersecurity strategy. Here, it’s important to work with the team that provides your switching and routing fabric and gear to better understand your network awareness. This discovery process will take significantly more time than you expect, but it is well worth the effort.

Once you embark upon this journey, you will find the skeletons in your network. You may even want to create a bounty to uncover bad network management – similar to a software “bug bounty” program – as an incentive for IT teams to take security more seriously.

As you progress, you should uncover a rash of unpatched and vulnerable devices on your network. If you don’t, ask why? You may also uncover hidden VPNs, dangling access lines and broken DNSs. Make and stick to a plan to fix them. The benefit of a regular patch and maintenance program far outweighs any other security expense you can make.

Specialized training for the security team: 1 percent

Your security team likely includes extremely talented individuals. As your primary security offense and defense, these folks need individualized and team training plans. Plans must be established and re-evaluated every year at a minimum. There are excellent training organizations offering specialized security training at all levels. With the war for scarce security talent raging, you can reap tremendous benefits from your existing team through continuing education.

Sheldon Shaw is a cyberanalytics specialist with SAS. Having spent 15 years in the intelligence community, Shaw worked in nuclear counter-proliferation issues and information operations. He has also managed investigative teams that tracked national security intrusions into government systems. He is a Certified Intrusion Analyst and holds a degree from Acadia University.